[Bro-Dev] Bro HTTP midstream inspection

[Stephen Baker]

All,

When running Bro, I see a lot of midstream sessions due to long lived TCP
connections that have connected before starting Bro.  The Bro conn state is
correct "OTH" but I would like to inspect the streams that are in
progress.  Is there a recommended way to process midstream TCP with Bro?


For a test I modified HTTP_Analyzer::DeliverStream to allow midsteam
inspection.

  if ( TCP() && TCP()->IsPartial() )
- return;
-
+ {
+ if ( allow_midstream_pickup )
+ {
+ Weird("Processing in midstream_client_HTTP_data");
+ }
+ else
+ {
+ return;
+ }
+ }

Is there any issues with a change similar to this for HTTP?  I would expect
that not all HTTP logs would be properly filled out for a connection that
was already established and possible some weird log entries about the http
headers. The changes does allow the logging of HTTP transactions on
existing TCP connection with no issues so far doing testing.  I just want
to make sure that a better way to deal with existing connections or reasons
why Bro should not look at HTTP in midstream.

Thanks,
Stephen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20170221/807891a9/attachment.html